About Security Update 2007-009

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.

Security Update 2007-009

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: A format string vulnerability exists in Address Book's URL handler. By enticing a user to visit a maliciously crafted website, a remote attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of format strings. This issue does not affect systems running Mac OS X 10.5 or later.

CFNetwork

CVE-ID: CVE-2007-4709

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Visiting a malicious website could allow the automatic download of files to arbitrary folders to which the user has write permission

Description: A path traversal issue exists in CFNetwork's handling of downloaded files. By enticing a user to visit a malicious website, an attacker may cause the automatic download of files to arbitrary folders to which the user has write permission. This update addresses the issue through improved processing of HTTP responses. This issue does not affect systems prior to Mac OS X 10.5. Credit to Sean Harding for reporting this issue.

ColorSync

CVE-ID: CVE-2007-4710

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Viewing a maliciously crafted image with an embedded ColorSync profile may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in the handling of images with an embedded ColorSync profile. By enticing a user to open a maliciously crafted image, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of images. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Tom Ferris of Adobe Secure Software Engineering Team (ASSET) for reporting this issue.

Core Foundation

CVE-ID: CVE-2007-5847

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Usage of CFURLWriteDataAndPropertiesToResource API may lead to the disclosure of sensitive information

Description: A race condition exists in the CFURLWriteDataAndPropertiesToResource API, which may cause files to be created with insecure permissions. This may lead to the disclosure of sensitive information. This update addresses the issue through improved file handling. This issue does not affect systems running Mac OS X 10.5 or later.
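The Core Foundation entry above describes the classic create-then-restrict race: a file is created with whatever permissions the process umask allows and only tightened afterwards, so another local user who wins the window can read it, or can plant a symlink at the path so the write lands somewhere else. The following is an added example, not Apple's code or the CFURLWriteDataAndPropertiesToResource implementation; it shows the hardened pattern with POSIX open flags (permissions applied at creation, O_EXCL and O_NOFOLLOW refusing a pre-existing file or symlink) and a constructed scenario that makes the racy intermediate state observable. All file names and the scratch directory are made up for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def write_private_file(path, data):
    """Create `path` with owner-only permissions in a single step and write `data`.

    The 0o600 mode is applied by the kernel at creation time, so there is no
    window in which the file is readable by others. O_EXCL makes the call fail
    if anything already exists at `path` (including a symlink planted by another
    user), and O_NOFOLLOW refuses to traverse a symlink at the final component.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        # Verify the descriptor we actually hold, not a path that could be swapped.
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} created with unexpected mode {oct(mode)}")
        os.write(fd, data)
    finally:
        os.close(fd)


def run_demo():
    """Constructed scenario in a scratch directory.

    A permissive umask is set so the racy pattern's intermediate state is
    visible, and a symlink is planted where a secret file is about to be
    created to show that the hardened open refuses it.
    """
    old_umask = os.umask(0)
    workdir = tempfile.mkdtemp()
    try:
        # The racy pattern: open() creates the file with mode 0o666 & ~umask and
        # only a later chmod restricts it. We record the mode inside the window.
        racy = os.path.join(workdir, "racy.txt")
        with open(racy, "wb") as f:
            f.write(b"secret")
            mode_before_chmod = stat.S_IMODE(os.stat(racy).st_mode)
        os.chmod(racy, 0o600)

        # The hardened pattern: restrictive mode from the first instant.
        hardened = os.path.join(workdir, "hardened.txt")
        write_private_file(hardened, b"secret")
        mode_hardened = stat.S_IMODE(os.stat(hardened).st_mode)

        # A symlink planted at the target path must be refused, and the file it
        # points at must remain untouched.
        victim = os.path.join(workdir, "victim.txt")
        with open(victim, "wb") as f:
            f.write(b"original")
        planted = os.path.join(workdir, "planted.txt")
        os.symlink(victim, planted)
        try:
            write_private_file(planted, b"overwritten")
            symlink_refused = False
        except FileExistsError:
            symlink_refused = True
        with open(victim, "rb") as f:
            victim_contents = f.read()
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir)
    return {
        "mode_before_chmod": mode_before_chmod,
        "mode_hardened": mode_hardened,
        "symlink_refused": symlink_refused,
        "victim_contents": victim_contents,
    }


if __name__ == "__main__":
    print(run_demo())
```

With a permissive umask the racy variant is world-readable (mode 0o666) until the chmod runs, while the hardened variant is 0o600 from creation and raises FileExistsError rather than writing through the planted symlink.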

CUPS

CVE-ID: CVE-2007-5848

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local admin user may be able to gain system privileges

Description: A buffer overflow issue exists in the printer driver for CUPS. This may allow a local admin user to gain system privileges by passing a maliciously crafted URI to the CUPS service. This update addresses the issue by ensuring that the destination buffer is sized to contain the data. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Dave Camp at Critical Path Software for reporting this issue.

Description: A memory corruption issue exists in the handling of Internet Printing Protocol (IPP) tags, which may allow a remote attacker to cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

CUPS

CVE-ID: CVE-2007-5849

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: If SNMP is enabled, a remote attacker may cause an unexpected application termination or arbitrary code execution

Description: The CUPS backend SNMP program broadcasts SNMP requests to discover network print servers. A stack buffer overflow may result from an integer underflow in the handling of SNMP responses. If SNMP is enabled, a remote attacker may exploit this issue by sending a maliciously crafted SNMP response, which may cause an application termination or arbitrary code execution. This update addresses the issue by performing additional validation of SNMP responses. This issue does not affect systems prior to Mac OS X 10.5. Credit to Wei Wang of McAfee Avert Labs for reporting this issue.
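The CUPS SNMP entry describes an integer underflow turning into a stack overflow: a length field in the response is subtracted from the bytes available before anyone checks that it fits, so an oversized claim wraps to a huge remaining count and a later copy runs past the buffer. The following is an added example, not the CUPS backend's code; it is a minimal BER tag-length-value reader of the kind an SNMP response parser needs, showing the unsigned subtraction that goes wrong beside the checked form, run over constructed responses (one well-formed, one with an oversized inner length, one with an oversized outer length). Function names and the sample packets are invented for the demonstration.

```python
MASK32 = 0xFFFFFFFF

# Constructed SNMP-like response: SEQUENCE { INTEGER 0, OCTET STRING "public", INTEGER 42 }
GOOD_RESPONSE = bytes.fromhex("300e" "020100" "0406" + b"public".hex() + "02012a")
# Same bytes, but the OCTET STRING claims 0x40 bytes while only 6 (plus 3) follow.
OVERSIZED_INNER = bytes.fromhex("300e" "020100" "0440" + b"public".hex() + "02012a")
# Outer SEQUENCE claims 0x7f bytes inside a 16-byte packet.
OVERSIZED_OUTER = bytes.fromhex("307f" "020100" "0406" + b"public".hex() + "02012a")


def naive_remaining(available, declared):
    """The arithmetic behind the bug class: C-style unsigned subtraction of a
    declared length from the bytes available. When declared > available the
    result wraps (modelled with a 32-bit mask) to a count in the gigabytes,
    and whatever copies that many bytes next overruns its buffer."""
    return (available - declared) & MASK32


def checked_remaining(available, declared):
    """Validate before subtracting: a declared length larger than what remains
    is a malformed response to reject, not a negative number to carry on with."""
    if declared > available:
        raise ValueError(f"declared length {declared} exceeds {available} available bytes")
    return available - declared


def read_tlv(buf, offset):
    """Decode one BER tag-length-value at `offset`; return (tag, value, next_offset).

    Every length is checked against the bytes actually present in `buf`.
    """
    if offset + 2 > len(buf):
        raise ValueError("truncated tag/length header")
    tag = buf[offset]
    first = buf[offset + 1]
    pos = offset + 2
    if first & 0x80:
        # Long form: the low bits give the number of length octets that follow.
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    checked_remaining(len(buf) - pos, length)
    return tag, buf[pos:pos + length], pos + length


def parse_response(buf):
    """Walk the top-level SEQUENCE and return its children as (tag, value) pairs."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE, got tag {tag:#x}")
    if end != len(buf):
        raise ValueError("trailing bytes after SEQUENCE")
    children, pos = [], 0
    while pos < len(body):
        child_tag, value, pos = read_tlv(body, pos)
        children.append((child_tag, value))
    return children


def is_well_formed(buf):
    """True if the response parses with every length inside the packet."""
    try:
        parse_response(buf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_response(GOOD_RESPONSE))
    print(is_well_formed(OVERSIZED_INNER), is_well_formed(OVERSIZED_OUTER))
    print(naive_remaining(9, 64))
```

The checked reader rejects both malformed packets at the length field, before any slice is taken; `naive_remaining` shows the value a parser that subtracts first would have carried forward.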

Desktop Services

CVE-ID: CVE-2007-5850

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Opening a directory containing a maliciously crafted .DS_Store file in Finder may lead to arbitrary code execution

Description: A heap buffer overflow exists in Desktop Services. By enticing a user to open a directory containing a maliciously crafted .DS_Store file, an attacker may cause arbitrary code execution. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later.

Description: Multiple input validation issues exist in the Adobe Flash Player Plug-in which may lead to arbitrary code execution. This update addresses the issue by updating Adobe Flash Player to version 9.0.115.0. Further information is available via the Adobe site at http://www.adobe.com/support/security/bulletins/apsb07-20.html. Credit to Opera Software for reporting this issue.

Description: A directory traversal issue exists in GNU Tar. By enticing a local user to extract a maliciously crafted tar archive, an attacker may cause arbitrary files to be overwritten. This issue has been addressed by performing additional validation of tar files. This issue does not affect systems running Mac OS X 10.5 or later.
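Two entries on this page are the same defect in different components: the CFNetwork download issue (files written to arbitrary folders the user can write to) and the GNU Tar issue (archive entries overwriting arbitrary files). Both come down to accepting a name supplied by the remote side and joining it onto a destination directory without checking that the result still lies inside that directory. The following is an added example, not Apple's, CFNetwork's or GNU Tar's code; it shows one containment check that serves both cases, applied to a download filename and to the members of a constructed archive (including a symlink whose target points above the extraction root). The function names, the scratch directory and the archive contents are all made up for the demonstration.

```python
import io
import os
import shutil
import tarfile
import tempfile


def safe_join(base_dir, untrusted_name):
    """Return the absolute path `untrusted_name` would occupy inside `base_dir`,
    or None if the name would escape that directory via '..', an absolute
    path, or a symlinked component."""
    base = os.path.realpath(base_dir)
    # os.path.join discards `base` entirely when the untrusted name is absolute,
    # which is exactly the case the prefix check below catches.
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    if candidate == base or not candidate.startswith(base + os.sep):
        return None
    return candidate


def unsafe_tar_members(tar, dest_dir):
    """Return the names of archive members that would be written, or would link,
    outside `dest_dir` if the archive were extracted there."""
    bad = []
    for member in tar.getmembers():
        if safe_join(dest_dir, member.name) is None:
            bad.append(member.name)
            continue
        if member.issym():
            # A symlink target is resolved relative to the directory holding the link.
            target = os.path.join(os.path.dirname(member.name), member.linkname)
        elif member.islnk():
            # A hard link target is named relative to the archive root.
            target = member.linkname
        else:
            continue
        if os.path.isabs(member.linkname) or safe_join(dest_dir, target) is None:
            bad.append(member.name)
    return bad


def build_sample_archive():
    """Constructed in-memory archive: one benign file, one '..' entry, one
    absolute-path entry and one symlink pointing above the extraction root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("docs/readme.txt", b"hello\n"),
                           ("../../.profile", b"not benign\n"),
                           ("/etc/cron.d/job", b"not benign\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("docs/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tar.addfile(link)
    buf.seek(0)
    return buf


def run_demo():
    """Exercise both checks against a scratch directory and return the findings."""
    dest = tempfile.mkdtemp()
    try:
        with tarfile.open(fileobj=build_sample_archive(), mode="r") as tar:
            flagged = unsafe_tar_members(tar, dest)
        expected_ok = os.path.join(os.path.realpath(dest), "report.pdf")
        return {
            "download_ok": safe_join(dest, "report.pdf") == expected_ok,
            "download_dotdot": safe_join(dest, "../../.profile"),
            "download_absolute": safe_join(dest, "/etc/passwd"),
            "flagged_members": flagged,
        }
    finally:
        shutil.rmtree(dest)


if __name__ == "__main__":
    print(run_demo())
```

The check is deliberately done on the resolved path rather than by looking for a literal `..` substring: a name like `sub/../../x` still escapes, and a name like `a..b` does not.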

iChat

CVE-ID: CVE-2007-5851

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A person on the local network may initiate a video connection without the user's approval

Description: An attacker on the local network may initiate a video conference with a user without the user's approval. This update addresses the issue by requiring user interaction to initiate a video conference. This issue does not affect systems running Mac OS X 10.5 or later.

IO Storage Family

CVE-ID: CVE-2007-5853

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Opening a maliciously crafted disk image may lead to an unexpected system shutdown or arbitrary code execution

Description: A memory corruption issue exists in the handling of GUID partition maps within a disk image. By enticing a user to open a maliciously crafted disk image, an attacker may cause an unexpected system shutdown or arbitrary code execution. This update addresses the issue through additional validation of GUID partition maps. This issue does not affect systems running Mac OS X 10.5 or later.

Impact: Opening a maliciously crafted HTML file may lead to information disclosure or cross-site scripting

Description: Launch Services does not handle HTML files as potentially unsafe content. By enticing a user to open a maliciously crafted HTML file, an attacker may cause the disclosure of sensitive information or cross-site scripting. This update addresses the issue by handling HTML files as potentially unsafe content. Credit to Michal Zalewski of Google Inc. for reporting this issue.

Launch Services

CVE-ID: CVE-2007-6165

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Opening an executable mail attachment may lead to arbitrary code execution with no warning

Description: An implementation issue exists in Launch Services, which may allow executable mail attachments to be run without warning when a user opens a mail attachment. This update addresses the issue by warning the user before launching executable mail attachments. This issue does not affect systems prior to Mac OS X 10.5. Credit to Xeno Kovah for reporting this issue.

Mail

CVE-ID: CVE-2007-5855

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: SMTP accounts set up through Account Assistant may use plaintext authentication even when MD5 Challenge-Response authentication is available

Description: When setting up an SMTP account through Account Assistant, if SMTP authentication is selected, and if the server supports only MD5 Challenge-Response authentication and plaintext authentication, Mail defaults to using plaintext authentication. This update addresses the issue by ensuring that the most secure available mechanism is used. This issue does not affect systems running Mac OS X 10.5 or later.
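The Mail entry is a mechanism-selection problem: the server advertises several SASL mechanisms in its EHLO reply, and the client must take the strongest one rather than the first plaintext one it recognises. The following is an added example, not Mail's or Account Assistant's code; it parses constructed EHLO replies, contrasts a model of the described behaviour (plaintext taken whenever offered) with a preference-ordered chooser, and adds one policy the advisory does not state but a practitioner would want: plaintext mechanisms are only used when the session is already under TLS. The server names and reply lines are invented.

```python
# Strongest first. PLAIN (RFC 4616) and the non-standard LOGIN transmit the
# password itself; CRAM-MD5 (RFC 2195, the "MD5 Challenge-Response" of the
# advisory) transmits only a keyed digest of a server challenge.
PREFERENCE = ("CRAM-MD5", "PLAIN", "LOGIN")
PLAINTEXT = {"PLAIN", "LOGIN"}

# Constructed EHLO replies: a server offering both kinds, and one offering only plaintext.
EHLO_BOTH = [
    "250-mail.example.test Hello client",
    "250-SIZE 10240000",
    "250-AUTH CRAM-MD5 PLAIN LOGIN",
    "250 8BITMIME",
]
EHLO_PLAINTEXT_ONLY = [
    "250-mail.example.test Hello client",
    "250-AUTH PLAIN LOGIN",
    "250 OK",
]


def advertised_mechanisms(ehlo_lines):
    """Collect the SASL mechanism names from the '250-AUTH ...' / '250 AUTH ...'
    lines of an EHLO reply (RFC 4954); the legacy 'AUTH=' spelling is accepted too."""
    mechs = set()
    for line in ehlo_lines:
        if not line.startswith(("250-", "250 ")):
            continue
        body = line[4:].strip()
        upper = body.upper()
        if upper.startswith("AUTH ") or upper.startswith("AUTH="):
            mechs.update(word.upper() for word in body[5:].split())
    return mechs


def buggy_choice(advertised):
    """Model of the behaviour the advisory describes: a plaintext mechanism is
    used whenever the server offers one, even with CRAM-MD5 on the same line."""
    for mech in ("PLAIN", "LOGIN", "CRAM-MD5"):
        if mech in advertised:
            return mech
    return None


def choose_mechanism(advertised, tls_active, allow_plaintext_without_tls=False):
    """Pick the strongest advertised mechanism in PREFERENCE order.

    A plaintext mechanism is only returned when the session is already under
    TLS (or the caller explicitly opts in); otherwise None signals that
    authentication should not be attempted over this connection.
    """
    for mech in PREFERENCE:
        if mech not in advertised:
            continue
        if mech in PLAINTEXT and not (tls_active or allow_plaintext_without_tls):
            continue
        return mech
    return None


if __name__ == "__main__":
    both = advertised_mechanisms(EHLO_BOTH)
    print("buggy:", buggy_choice(both), " fixed:", choose_mechanism(both, tls_active=False))
```

Walking a fixed preference list means adding a new mechanism is a one-line change to `PREFERENCE`, and the TLS gate keeps a downgrade to plaintext from succeeding on a server that never advertised anything stronger.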

Impact: Parsing regular expressions may lead to arbitrary code execution

Description: A length calculation issue exists in the polymorphic opcode support in the Perl Regular Expression compiler. This may allow an attacker to cause memory corruption leading to arbitrary code execution by switching from byte to Unicode (UTF) characters in a regular expression. This update addresses the issue by recomputing the length if the character encoding changes. Credit to Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.

Impact: Processing image content with imageop module may lead to an unexpected application termination or arbitrary code execution

Description: Multiple integer overflows exist in Python's imageop module. These may cause a buffer overflow to occur in applications which use the module to process maliciously crafted image content. This may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of image content.

Quick Look

CVE-ID: CVE-2007-5856

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Previewing a file with QuickLook enabled may lead to the disclosure of sensitive information

Description: When previewing an HTML file, plug-ins are not restricted from making network requests. This may lead to the disclosure of sensitive information. This update addresses the issue by disabling plug-ins. This issue does not affect systems prior to Mac OS X 10.5.

Quick Look

CVE-ID: CVE-2007-5857

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Previewing a movie file may access URLs contained in the movie

Description: Creating an icon for a movie file, or previewing that file using QuickLook may access URLs contained in the movie. This update addresses the issue by disabling HREFTrack while browsing movie files. This issue does not affect systems prior to Mac OS X 10.5, or systems with QuickTime 7.3 installed. Credit to Lukhnos D. Liu of Lithoglyph Inc. for reporting this issue.

Description: Multiple ruby libraries are affected by SSL certificate validation issues. This may lead to man-in-the-middle attacks against applications that use an affected library. This update addresses the issues by applying the ruby patch.

ruby

CVE-ID: CVE-2007-5379, CVE-2007-5380, CVE-2007-6077

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: Multiple vulnerabilities exist in Rails 1.2.3

Description: Multiple vulnerabilities exist in Rails 1.2.3, which may lead to the disclosure of sensitive information. This update addresses the issue by updating Rails to version 1.2.6. This issue does not affect systems prior to Mac OS X 10.5.

Impact: Visiting a malicious website may result in the disclosure of sensitive information

Description: WebKit allows a page to navigate the subframes of any other page. Visiting a maliciously crafted web page could trigger a cross-site scripting attack, which may lead to the disclosure of sensitive information. This update addresses the issue by implementing a stricter frame navigation policy.

Safari RSS

CVE-ID: CVE-2007-5859

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Accessing a maliciously crafted feed: URL may lead to an application termination or arbitrary code execution

Description: A memory corruption issue exists in Safari's handling of feed: URLs. By enticing a user to access a maliciously crafted URL, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of feed: URLs and providing an error message in case of an invalid URL. This issue does not affect systems running Mac OS X 10.5 or later.

Description: Multiple vulnerabilities exist in Samba, the most serious of which is remote code execution. This update addresses the issues by applying patches from the Samba project. Further information is available via the Samba web site at http://www.samba.org/samba/history/security.html. CVE-2007-4138 does not affect systems prior to Mac OS X 10.5. Credit to Alin Rad Pop of Secunia Research for reporting this issue.

Description: Multiple vulnerabilities exist in Shockwave Player. By enticing a user to open maliciously crafted Shockwave content, an attacker may cause arbitrary code execution. This update addresses the issues by updating Shockwave Player to version 10.1.1.016. Credit to Jan Hacker of ETH Zurich for reporting the problem in Shockwave.

SMB

CVE-ID: CVE-2007-3876

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: A local user may be able to execute arbitrary code with system privileges

Description: A stack buffer overflow issue exists in the code used by the mount_smbfs and smbutil applications to parse command line arguments, which may allow a local user to cause arbitrary code execution with system privileges. This update addresses the issue through improved bounds checking. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Sean Larsson of VeriSign iDefense Labs for reporting this issue.

Description: When Software Update checks for new updates, it processes a distribution definition file which was sent by the update server. By intercepting requests to the update server, an attacker can provide a maliciously crafted distribution definition file with the "allow-external-scripts" option, which may cause arbitrary command execution when a system checks for new updates. This update addresses the issue by disallowing the "allow-external-scripts" option in Software Update. This issue does not affect systems prior to Mac OS X 10.5. Credit to Moritz Jodeit for reporting this issue.

Spin Tracer

CVE-ID: CVE-2007-5860

Available for: Mac OS X v10.5.1, Mac OS X Server v10.5.1

Impact: A local user may be able to execute arbitrary code with system privileges

Description: An insecure file operation exists in SpinTracer's handling of output files, which may allow a local user to execute arbitrary code with system privileges. This update addresses the issue through improved handling of output files. This issue does not affect systems prior to Mac OS X 10.5. Credit to Kevin Finisterre of DigitalMunition for reporting this issue.

Spotlight

CVE-ID: CVE-2007-5861

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Downloading a maliciously crafted .xls file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue exists in the Microsoft Office Spotlight Importer. By enticing a user to download a maliciously crafted .xls file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of .xls files. This issue does not affect systems running Mac OS X 10.5 or later.

tcpdump

CVE-ID: CVE-2007-1218, CVE-2007-3798

Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

Impact: Multiple vulnerabilities in tcpdump

Description: Multiple vulnerabilities exist in tcpdump, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating tcpdump to version 3.9.7. This issue does not affect systems running Mac OS X 10.5 or later.

Impact: Multiple vulnerabilities in the handling of regular expressions

Description: Multiple vulnerabilities exist in the Perl Compatible Regular Expressions (PCRE) library used by XQuery, the most serious of which may lead to arbitrary code execution. This update addresses the issue by updating PCRE to version 7.3. Further information is available via the PCRE web site at http://www.pcre.org/. This issue does not affect systems running Mac OS X 10.5 or later. Credit to Tavis Ormandy and Will Drewry of Google Security Team for reporting this issue.